title: Bitlocker Key Retrieval
id: a0413867-daf3-43dd-9255-734b3a787942
description: Monitor and alert for Bitlocker key retrieval.
author: Michael Epping, '@mepples21'
date: 2022/06/28
references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval
logsource:
  product: azure
  service: auditlogs
detection:
  selection:
    Category: KeyManagement
    OperationName: Read BitLocker key
  condition: selection
falsepositives:
  - Unknown
level: medium
status: experimental
tags:
  - attack.valid_accounts
  - attack.t1078